Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation

Last updated 2 months ago on 2025-11-19

Created 2 months ago on 2025-11-19

About

Identifies successful exploitation of CVE-2023-50164, a critical path traversal vulnerability in Apache Struts 2 file upload functionality. This high-fidelity rule detects a specific attack sequence where a malicious multipart/form-data POST request with WebKitFormBoundary is made to a Struts .action upload endpoint, immediately followed by the creation of a JSP web shell file by a Java process in Tomcat's webapps directories. This correlated activity indicates active exploitation resulting in remote code execution capability through unauthorized file upload and web shell deployment.

Tags

Domain: EndpointDomain: WebDomain: NetworkOS: LinuxUse Case: Threat DetectionTactic: Initial AccessTactic: PersistenceData Source: Elastic DefendData Source: Network TrafficLanguage: eql

Severity

high

Risk Score

MITRE ATT&CK™

Initial Access (TA0001)(external, opens in a new tab or window)

↳ Exploit Public-Facing Application (T1190)(external, opens in a new tab or window)

Persistence (TA0003)(external, opens in a new tab or window)

↳ Server Software Component (T1505)(external, opens in a new tab or window)

False Positive Examples

False positives are expected to be very rare due to the specific nature of this rule. Legitimate application deployments typically do not involve multipart form uploads to .action endpoints followed immediately by JSP file creation in webapps directories. However, custom deployment scripts or automated testing tools that simulate file uploads could potentially trigger this alert. Review the source IP, user agent, uploaded file content, timing, and deployment schedules to validate if the activity is authorized. Standard package manager operations are already excluded from detection.

License

Elastic License v2(external, opens in a new tab or window)

Definition

Rule Type

Event Correlation Rule

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

logs-endpoint.events.*logs-network_traffic.*

Related Integrations

endpoint(external, opens in a new tab or window)

network_traffic(external, opens in a new tab or window)

Query

✄𐘗text code block:
✄𐘗sequence by agent.id with maxspan=10s
  [network where data_stream.dataset == "network_traffic.http" and
      http.request.method == "POST" and
      http.request.body.content like "*WebKitFormBoundary*" and
      url.path like~ "*upload*.action"]
  [file where event.dataset == "endpoint.events.file" and
      host.os.type == "linux" and
      event.action == "creation" and
      process.name == "java" and
      file.extension == "jsp" and
      file.path like "*/webapps/*" and
      not file.path like "*/WEB-INF/*" and
      not file.path like "*/META-INF/*" and
      not process.parent.name in ("apk", "apt", "apt-get", "dpkg", "yum", "rpm", "dnf", "systemd", "init")]

Install detection rules in Elastic Security

Detect Potential Webshell Deployed via Apache Struts CVE-2023-50164 Exploitation in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).